Graduate Project

Design and implementation of TACACS+ on a scalable enterprise based IP network

As corporate offices become geographically distributed, securing and managing their networks has grown increasingly challenging. These offices forward highly confidential mission-critical and business-critical data between sites and require a high degree of network security from every angle. As more sites converge, careful design and planning are needed so that the quality, reliability and security of the network are not affected. This project proposes a scalable TACACS+ architecture that can be implemented by universities, enterprises and Internet Service Providers. The proposed architecture allows easy integration of network domains and centralized manageability, providing Authentication, Authorization and Accounting (AAA) services for establishing connections to multivendor network elements. It also resolves two major issues identified in the study: first, long end-to-end round-trip delay for network user authentication, and second, a lack of centralized manageability that allowed user access regardless of job function. These two issues are addressed in two project phases. The first phase creates a prototype of an enterprise end-to-end IP network, designed and deployed with two sites representing regional sites in different Autonomous Systems (AS). The second phase deploys a centralized TACACS+ environment. The project is implemented using Cisco networking appliances. With the successful implementation of these phases, a secure and centralized TACACS+ model was deployed with a single point of global administration. To compare network performance across different time periods, a pre-production ACS server was deployed at a regional GAR site in Penang to provide AAA services. Average performance during peak time improved by 87.1%, and average performance during off-peak time improved by 89.2%.
Second, the average hop count for devices in Penang, where the AAA server is actually integrated, improved by 75%, and the average hop count for devices in other sub-regions improved by ~50%. Finally, with a hierarchical IP network design, the end-to-end authentication request and response messages are confined to dedicated slave servers in dedicated regional domains, greatly reducing noise on the network core layer.
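The regional-first, centrally-managed AAA design summarised above can be expressed on a Cisco IOS device as a TACACS+ server group that prefers the local regional server and falls back to the central one, with a local account as last resort. This is an added illustrative configuration, not the project's own; the server names, addresses, key and loopback interface are constructed placeholders.

```cisco
! Added example: regional edge device in a TACACS+ hierarchy (constructed values)
aaa new-model
!
! Source AAA traffic from a stable loopback so server-side client definitions
! do not break when a physical uplink changes
ip tacacs source-interface Loopback0
!
! Regional (slave) server, reached in few hops; timeout kept short so a
! failure falls through quickly instead of stalling the login
tacacs server REGIONAL-ACS
 address ipv4 192.0.2.10
 key 7 <placeholder-shared-secret>
 timeout 3
!
! Central server used only when the regional server is unreachable
tacacs server CENTRAL-ACS
 address ipv4 198.51.100.10
 key 7 <placeholder-shared-secret>
 timeout 3
!
! Order inside the group defines preference: regional first, then central
aaa group server tacacs+ AAA-REGION
 server name REGIONAL-ACS
 server name CENTRAL-ACS
!
! Authentication, authorization and accounting all use the group; "local"
! is reached only if every TACACS+ server fails, so a break-glass local
! account must exist and be tightly controlled
aaa authentication login default group AAA-REGION local
aaa authorization exec default group AAA-REGION local
aaa authorization commands 15 default group AAA-REGION local
aaa authorization config-commands
aaa accounting exec default start-stop group AAA-REGION
aaa accounting commands 15 default start-stop group AAA-REGION
!
username breakglass privilege 15 secret <placeholder-strong-secret>
!
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
 accounting exec default
 accounting commands 15 default
```

Because per-command authorization and accounting go to the same group, the central ACS remains the single point of policy and audit while the regional server keeps the round-trip short for the sites it serves.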
